Overview

overview

10

Static

static

10

ab29c757d3...c0.exe

windows7-x64

10

ab29c757d3...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-02-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab29c757d33926666e100616d1c7c4c0.exe

  • Size

    116KB

  • MD5

    ab29c757d33926666e100616d1c7c4c0

  • SHA1

    c738819e060055d37883f31d873432abdf0bb6d7

  • SHA256

    9f9441445790e2b9c7a17b3664a2c11edcf65e711dc633b0387564683d127948

  • SHA512

    1e9e8e77a325b1463ecb04e94a0d41263a904336270beee9d68b2eeb7d7336f857284b3237ca438ded81c5e43509d2d913dd9e95f10ba180905a65d1678b729d

  • SSDEEP

    3072:lb8oq/FWQDxX9Rf/bUH9B18vrsKoks4KOxqodjIezi:lgoJexrS9j0YKTs4KOx3jIezi

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab29c757d33926666e100616d1c7c4c0.exe
    "C:\Users\Admin\AppData\Local\Temp\ab29c757d33926666e100616d1c7c4c0.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:1940
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\install.tmp
    Filesize

    70B

    MD5

    3c7e1d924a4b2ab70a3b8dc63b99a4db

    SHA1

    247d998309b4f8193cd44563de502604f20d6a2d

    SHA256

    79378ba39f85e2f48983a2f99a706c06049c906737c6f73e7d59a70ac2abbe2a

    SHA512

    85a8b557276e50b39c73eed2858ecca4c079426a1b18b7ec6002e50c683974b500076b1a244a0ee6699bcef7892622aa5893fedbb1123f61968321d77d8bb045

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dll.tmp
    Filesize

    95KB

    MD5

    cc20396466ef1a30eed301d07820f388

    SHA1

    c0d5385d454b40129e645de4ef38edac4812c680

    SHA256

    c515a56f0cbadd89dd650120826e457c6f2ea62a6f8808901c8e35432d7e15ad

    SHA512

    d95a286bb31fb023a7c568e281f40423b31187b5aff8c77db6d21f909957a56cf43c5c10d985f0ab9f30e9ed9cea606eb691b0e819b23d4ebe6a6dd9eef80931

    Download Submit

  • memory/1940-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1940-13-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download